On 3/15/07, Levan Dvalishvili <[EMAIL PROTECTED]> wrote:
That looks interesting, can I add that to my toolkit?
One question though, it is a regexp pattern, right?
So I assume it's evaluated for every request that comes into the system; isn't
it kind of a performance load on the system? But I guess that is the only
way to fight XSS.

Not really. The best way to fight XSS is to care for the output, not for
the input. As long as you write out the user input properly you don't
have anything to worry about.
Basically the whole discussion is useless, it's sufficient to encode <
and > properly :-)

Leon.
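To illustrate the output-side approach Leon describes (and the href concern Dale raises further down), here is an added example written for this page; it is not code from the thread or from Struts, and the class name, method names and sample inputs are invented. It encodes the full set of HTML special characters rather than only < and >, and treats a URL attribute as its own context, since entity encoding does not neutralise a "javascript:" link.

```java
import java.util.Locale;

/** Output-side defence: encode untrusted text at the point where it is written into the page. */
public final class HtmlOutputEncoder {

    /** Encode for HTML element content or a quoted attribute value. */
    public static String encode(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break; // &apos; is not an HTML 4 entity
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** A URL attribute is a different context: encoding alone does not stop a "javascript:" link,
     *  so only absolute http(s) URLs are allowed through and anything else is replaced. */
    public static String safeHref(String url) {
        String trimmed = url == null ? "" : url.trim();
        String lower = trimmed.toLowerCase(Locale.ROOT);
        if (lower.startsWith("http://") || lower.startsWith("https://")) {
            return encode(trimmed);
        }
        return "#";
    }

    /** Render a profile line the way a JSP would, but every untrusted value goes through the encoder for its context. */
    public static String renderProfile(String displayName, String homepage) {
        return "<a href=\"" + safeHref(homepage) + "\" title=\"" + encode(displayName) + "\">"
             + encode(displayName) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the thread.
        System.out.println(renderProfile("Joe <script>alert('hi')</script>", "http://example.com/"));
        System.out.println(renderProfile("x\" onmouseover=\"alert(1)", "javascript:alert(1)"));
    }
}
```

Both rendered lines come out as inert text inside their attribute or element, without any input-side regex having run.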



-----Original Message-----
From: Joseph McGranaghan [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 15, 2007 4:46 PM
To: Struts Users Mailing List
Subject: Re: Cross site scripting issue


Sorry, just noticed a problem in that events filter.

(;|>) in the end should be just >

in case of multiple statements.

It's a work in progress :)


-Joe



Joseph McGranaghan wrote:
> I'm currently working on this problem for a website I'm building.
>
> I found this:
>
>
> on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|dow" +
> "n|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|" +
> "blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|iv" +
> "escript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|mocha):|type\b\" +
> "W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b|" +
> "[vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=." +
> "*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|she" +
> "ll|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)f" +
> "older|background-image:)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body" +
> "\b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\[CDATA\[" +
> "|script|meta)|(?:.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|inne" +
> "rhtml)|[EMAIL PROTECTED])\b)
>
> from a mod_security list archive and am using it as a starting point.
>
> I did a couple of searches on myspace security and got a bunch of good
> leads.
> I figure they have the most current experience with this.
>
> Especially helpful in identifying harmful javascript patterns was the
> explanation of the myspace samy worm.
> Good insight.
>
> I figure I'll keep modifying regular expressions that are kept in one
> central class until I can't slip anything through.
>
> I know other people are working on this stuff too, they'd have to be.
>
> Be nice to share some discoveries guys :)
>
> Here is an events filter I did this morning:
>
>
>
> /*
>  *  events: whitespace eventname = "' javascript '" >
>  *
>  *  If no ' or ", then goto last ) before >
>  */
> private final static String XSS_EVENTS_FILTER =
>     "\\s*(on(abort|activate|afterprint|afterupdate))|" +
>     "(onbefore(activate|copy|cut|deactivate|editfocus|paste|update|print|unload))|" +
>     "(on(blur|cellchange|change|click|contextmenu|controlselect|copy|cut))|" +
>     "(ondata(available|setchanged|setcomplete))|" +
>     "(on(dblclick|deactivate))|" +
>     "(ondrag|(ondrag(end|enter|leave|over|start)))|" +
>     "(on(drop|error|errorupdate|filterchange))|" +
>     "(onfocus|(onfocus(in|out)))|" +
>     "(on(help|deactivate))|" +
>     "(onkey(down|press|up))|" +
>     "(on(layoutcomplete|load|losecapture))|" +
>     "(onmouse(down|enter|leave|move|out|over|up|wheel))|" +
>     "(onmove|(onmove(end|start)))|" +
>     "(on(page|paste|propertychange|readystatechange|reset|resize))|" +
>     "(onresize(end|start))|" +
>     "(onrow(enter|exit|delete|sdelete|inserted|sinserted))|" +
>     "(on(scroll|select|selectionchange|selectstart|submit|unload))" +
>     // value part: quoted with ' or ", or unquoted up to the last ; or > (see the follow-up about (;|>))
>     "\\s*=\\s*((\'.*\')|(\".*\")|(.*\\(.*(;|>)))";
>
>
> If the user is trying to slip JS in using whitespace instead of quotes,
> it defaults to stripping everything including the end of tag >
>
> Better me than them!
>
>
>
> -Joe
>
>
>
>
> Dale Newfield wrote:
>> rapsy wrote:
>>> I am trying to find a best solution to prevent Cross site scripting
>>> attacks.
>>
>> Aren't we all.
>>
>> The best suggestion I've found is in the first comment on
>>
>> http://weblogs.java.net/blog/gmurray71/archive/2006/09/preventing_cros.html
>>
>>
>> Basically the suggestion is to Tagsoup parse into XHTML in order to
>> filter and allow through only "safe" content.  White lists are much
>> safer than black lists.
>>
>> That is basically what I've implemented, but it's still not enough,
>> as I mention in the last comment there.  Any suggestions on that
>> "next step"?
>>
>> Doing this "correctly" means ensuring that my whitelists are accurate
>> and safe. For example, it seems nice to allow style attributes, but
>> is that safe? In order to allow css, maybe class attributes should be
>> allowed, but are id attributes necessary? Don't I then have to worry
>> about using any of those "ajax without javascript" .js libraries?
>> Because of those, are there specific class attribute values I should
>> disallow?
>>
>> It is clear that this filter is insufficient. For example, I want to
>> allow links, so href must be allowed in <a/> tags, but clearly I
>> don't want to allow that to be used as a way to trigger javascript so
>> I must explicitly check the content of this attribute. That brings us
>> right back to an ad-hoc collection of unescapeHtml/indexOf searches
>> (for script, eval, etc.). This seems sloppy and unless carefully
>> maintained likely to lead to XSS vulnerabilities for my users...
>>
>> Is there an obvious next step that I'm missing? Does anyone have
>> available a table of "safe" tag/attribute combinations? This seems
>> like someplace where I'd rather trust someone with more
>> knowledge/experience than myself. Have only black-hats focused on
>> this problem? Seems ripe ground for a good open-source (white-hat)
>> tool...
>>
>> -Dale
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
>>
>
